Subject: Re: blacklistd(8) - entries aren't removed
To: freebsd-questions@freebsd.org
References: <5ee1dcc7-643b-a7b1-7d1c-1017599bdfe5@citrin.ru>
 <5844BA83.8030601@gmail.com>
From: Anton Yuzhaninov <citrin+bsd@citrin.ru>
Message-ID: <ae3f5321-c78a-c6cd-e9b7-45d55f6a657d@citrin.ru>
Date: Tue, 20 Dec 2016 11:16:29 -0500
In-Reply-To: <5844BA83.8030601@gmail.com>

On 12/04/16 19:53, Ernie Luzar wrote:
> Anton Yuzhaninov wrote:
>> I started to use blacklistd(8) to protect sshd from brute force.
>>
>> Entries are added to the ipfw table via controlprog but never removed.
>>
>> Blocked hosts are after some time removed from the state database, but even with
>> blacklistd -C /usr/local/libexec/blacklistd-helper -r -d -v
>> I see no attempts to run blacklistd-helper rem

It turned out that blacklistd expects the string OK from the blacklistd-helper 
script.

echo 'OK'
in the script is a workaround that works for me.

Some time ago this was committed to head:
https://svnweb.freebsd.org/changeset/base/306695

This behavior of blacklistd is unexpected and undocumented in the man page, though.

> Seems you're the first person to use this new function in 11.0. Read its
> man page for the email of the person who ported this from openbsd and contact
> him directly.

It was ported from NetBSD, and in NetBSD 7.0.2 blacklistd has the same 
problem - the script must print the 'OK' string.

I don't like this, but it seems to be not a bug, but a badly designed feature.
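An added example, not from the thread and not FreeBSD's own blacklistd-helper, of a minimal controlprog that honours the contract Anton found: it prints OK only after the ipfw change succeeded, so blacklistd records the entry and later calls the script again with rem. The argument order, the IPFW and TABLE variables and the table name are assumptions made for this example.

```shell
#!/bin/sh
# Minimal blacklistd(8) control program illustrating the contract found in
# the thread: after running the firewall command the helper must print the
# line "OK" on stdout, otherwise blacklistd treats the call as failed and
# never schedules the matching "rem".  Assumed (not from the mail): the
# argument order below, the IPFW and TABLE variables, and the table name.
#
# Called by blacklistd as:
#   helper add|rem|flush <rulename> <proto> <address> <mask> <port> <id>

IPFW=${IPFW:-/sbin/ipfw}       # override with a stub to test without root
TABLE=${TABLE:-blacklistd}     # constructed ipfw table name

# blacklist_change action address mask
# Prints "OK" only when the firewall change succeeded; prints nothing and
# returns non-zero otherwise, so blacklistd does not record a bogus entry.
blacklist_change() {
    action=$1; addr=$2; mask=$3
    case "$action" in
    add)
        $IPFW table "$TABLE" add "$addr/$mask" >/dev/null || return 1 ;;
    rem)
        $IPFW table "$TABLE" delete "$addr/$mask" >/dev/null || return 1 ;;
    flush)
        $IPFW table "$TABLE" flush >/dev/null || return 1 ;;
    *)
        echo "blacklist_change: unknown action '$action'" >&2; return 2 ;;
    esac
    # The line the thread identified as mandatory; leaving it out reproduces
    # the "entries are added but never removed" symptom.
    echo OK
}

# Entry point when invoked by blacklistd (no arguments when sourced/tested).
if [ $# -ge 5 ]; then
    blacklist_change "$1" "$4" "$5"
fi
```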